prodlint 0.7.0 → 0.7.2

package/README.md

@@ -6,14 +6,14 @@
 
 The linter for vibe-coded apps.
 
-Cursor, v0, Bolt, and Copilot build fast. prodlint catches what they miss — hallucinated imports, missing auth, hardcoded secrets, unvalidated server actions, and the other production bugs that compile just fine. Zero config, no LLM, fast static analysis.
+Static analysis for vibe-coded apps. Catches the production bugs that Cursor, v0, Bolt, and Copilot write — hallucinated imports, missing auth, hardcoded secrets, unvalidated server actions, and more. Zero config, no LLM, 52 rules, under 100ms.
 
 ```bash
 npx prodlint
 ```
 
 ```
-  prodlint v0.6.0
+  prodlint v0.7.1
   Scanned 148 files · 3 critical · 5 warnings
 
   src/app/api/checkout/route.ts
@@ -140,7 +140,8 @@ npm i -g prodlint     # Global install
 
 prodlint avoids common false positives:
 
-- **AST parsing** — Babel-based analysis for loops, imports, and SQL templates with regex fallback
+- **AST parsing** — Babel-based analysis for 12 rules (imports, catch blocks, redirects, SSRF, path traversal, JWT, HTML injection, hydration, transactions, env leaks, loops, SQL) with regex fallback
+- **Monorepo support** — npm/yarn/pnpm workspace dependencies resolved automatically
 - **Framework awareness** — Prisma, Drizzle, Supabase, Knex, and Sequelize whitelists prevent false SQL injection flags
 - **Middleware detection** — Clerk, NextAuth, Supabase middleware detected — auth findings downgraded
 - **Block comment awareness** — patterns inside `/* */` are ignored
@@ -218,6 +219,14 @@ claude mcp add prodlint npx prodlint-mcp
 
 Ask your AI: *"Run prodlint on this project"* and it calls the `scan` tool directly.
 
+## For AI Tools
+
+- **LLM-friendly docs**: [prodlint.com/llms.txt](https://prodlint.com/llms.txt) — concise project summary for LLMs
+- **Full reference**: [prodlint.com/llms-full.txt](https://prodlint.com/llms-full.txt) — all 52 rules with details
+- **MCP setup guide**: [prodlint.com/mcp](https://prodlint.com/mcp) — detailed editor setup for Claude Code, Cursor, Windsurf
+
+prodlint is designed specifically for AI-generated code patterns. Every rule targets bugs that AI coding tools consistently produce — not style nits.
+
 ## Suppression
 
 Suppress a single line:

package/dist/cli.js

@@ -76,7 +76,10 @@ function isTestFile(relativePath) {
   return /\.(test|spec)\.[jt]sx?$/.test(relativePath) || /(?:^|\/)__tests__\//.test(relativePath) || /(?:^|\/)tests?\//.test(relativePath) || /(?:^|\/)fixtures?\//.test(relativePath) || /(?:^|\/)mocks?\//.test(relativePath);
 }
 function isScriptFile(relativePath) {
-  return /(?:^|\/)scripts?\//.test(relativePath);
+  if (/(?:^|\/)scripts?\//.test(relativePath)) return true;
+  const name = relativePath.split("/").pop() ?? "";
+  const base = name.replace(/\.[^.]+$/, "");
+  return /^(seed|migrate|setup|bootstrap|generate|codegen|sync|deploy|cleanup|reset)$/.test(base);
 }
 function isConfigFile(relativePath) {
   const name = relativePath.split("/").pop() ?? "";
@@ -245,6 +248,25 @@ function findLoopsAST(ast) {
   });
   return loops;
 }
+function getImportSources(ast) {
+  const sources = [];
+  walkAST(ast.program, (node) => {
+    if (node.type === "ImportDeclaration") {
+      const decl = node;
+      sources.push({ source: decl.source.value, line: decl.loc?.start.line ?? 1 });
+    }
+    if (node.type === "CallExpression") {
+      const call = node;
+      if (call.callee.type === "Identifier" && call.callee.name === "require" && call.arguments.length === 1 && call.arguments[0].type === "StringLiteral") {
+        sources.push({ source: call.arguments[0].value, line: node.loc?.start.line ?? 1 });
+      }
+      if (call.callee.type === "Import" && call.arguments.length >= 1 && call.arguments[0].type === "StringLiteral") {
+        sources.push({ source: call.arguments[0].value, line: node.loc?.start.line ?? 1 });
+      }
+    }
+  });
+  return sources;
+}
 function isUserInputNode(node) {
   if (node.type === "MemberExpression") {
     const mem = node;
@@ -439,6 +461,66 @@ async function readFileContext(root, relativePath) {
     return null;
   }
 }
+async function getWorkspacePatterns(root, packageJson) {
+  const patterns = [];
+  if (packageJson) {
+    const workspaces = packageJson.workspaces;
+    if (Array.isArray(workspaces)) {
+      patterns.push(...workspaces);
+    } else if (workspaces && typeof workspaces === "object" && Array.isArray(workspaces.packages)) {
+      patterns.push(...workspaces.packages);
+    }
+  }
+  try {
+    const raw = await readFile(resolve(root, "pnpm-workspace.yaml"), "utf-8");
+    let inPackages = false;
+    for (const line of raw.split(/\r?\n/)) {
+      const trimmed = line.trim();
+      if (/^packages\s*:/.test(trimmed)) {
+        inPackages = true;
+        continue;
+      }
+      if (inPackages) {
+        if (/^-\s+/.test(trimmed)) {
+          const glob = trimmed.replace(/^-\s+/, "").replace(/^['"]|['"]$/g, "");
+          if (glob) patterns.push(glob);
+        } else if (trimmed && !trimmed.startsWith("#")) {
+          break;
+        }
+      }
+    }
+  } catch {
+  }
+  return patterns;
+}
+async function collectWorkspaceDependencies(root, patterns) {
+  const deps = /* @__PURE__ */ new Set();
+  const globPatterns = patterns.map((p) => `${p}/package.json`);
+  try {
+    const pkgFiles = await fg(globPatterns, {
+      cwd: root,
+      absolute: false,
+      ignore: ["**/node_modules/**"]
+    });
+    for (const pkgFile of pkgFiles) {
+      try {
+        const raw = await readFile(resolve(root, pkgFile), "utf-8");
+        const pkg = JSON.parse(raw);
+        if (pkg.name) deps.add(pkg.name);
+        for (const key of ["dependencies", "devDependencies", "peerDependencies"]) {
+          if (pkg[key] && typeof pkg[key] === "object") {
+            for (const dep of Object.keys(pkg[key])) {
+              deps.add(dep);
+            }
+          }
+        }
+      } catch {
+      }
+    }
+  } catch {
+  }
+  return deps;
+}
 async function buildProjectContext(root, files) {
   let packageJson = null;
   let declaredDependencies = /* @__PURE__ */ new Set();
@@ -457,19 +539,26 @@ async function buildProjectContext(root, files) {
       ...packageJson?.peerDependencies ?? {}
     };
     declaredDependencies = new Set(Object.keys(deps));
-    for (const dep of declaredDependencies) {
-      const framework = DEPENDENCY_TO_FRAMEWORK[dep];
-      if (framework) {
-        detectedFrameworks.add(framework);
-      }
+  } catch {
+  }
+  const workspacePatterns = await getWorkspacePatterns(root, packageJson);
+  if (workspacePatterns.length > 0) {
+    const workspaceDeps = await collectWorkspaceDependencies(root, workspacePatterns);
+    for (const dep of workspaceDeps) {
+      declaredDependencies.add(dep);
     }
-    for (const framework of detectedFrameworks) {
-      if (RATE_LIMIT_FRAMEWORKS.has(framework)) {
-        hasRateLimiting = true;
-        break;
-      }
+  }
+  for (const dep of declaredDependencies) {
+    const framework = DEPENDENCY_TO_FRAMEWORK[dep];
+    if (framework) {
+      detectedFrameworks.add(framework);
+    }
+  }
+  for (const framework of detectedFrameworks) {
+    if (RATE_LIMIT_FRAMEWORKS.has(framework)) {
+      hasRateLimiting = true;
+      break;
     }
-  } catch {
   }
   try {
     const raw = await readFile(resolve(root, "tsconfig.json"), "utf-8");
@@ -724,6 +813,32 @@ var hallucinatedImportsRule = {
     const findings = [];
     const seen = /* @__PURE__ */ new Set();
     const isNonProd = isTestFile(file.relativePath) || isScriptFile(file.relativePath);
+    if (file.ast) {
+      try {
+        const imports = getImportSources(file.ast);
+        for (const { source: importPath, line } of imports) {
+          if (importPath.startsWith(".") || importPath.startsWith("/")) continue;
+          const pkgName = getPackageName(importPath);
+          if (seen.has(pkgName)) continue;
+          seen.add(pkgName);
+          if (isPathAlias(importPath, project.tsconfigPaths)) continue;
+          if (isNodeBuiltin(pkgName)) continue;
+          if (IMPLICIT_PACKAGES.has(importPath) || IMPLICIT_PACKAGES.has(pkgName)) continue;
+          if (project.declaredDependencies.has(pkgName)) continue;
+          findings.push({
+            ruleId: "hallucinated-imports",
+            file: file.relativePath,
+            line,
+            column: 1,
+            message: `Package "${pkgName}" is imported but not in package.json`,
+            severity: isNonProd ? "warning" : "critical",
+            category: "reliability"
+          });
+        }
+        return findings;
+      } catch {
+      }
+    }
     for (let i = 0; i < file.lines.length; i++) {
       if (isCommentLine(file.lines, i, file.commentMap)) continue;
       const line = file.lines[i];
@@ -2255,8 +2370,14 @@ function scoreCatchBody(bodyLines) {
   const body = bodyLines.join("\n");
   let score = 0;
   if (/console\.(log|warn|error|info)\s*\(/.test(body)) score = 1;
-  if (/console\.(error|warn)\s*\(/.test(body) && /\b(err|error|e)\b/.test(body)) score = 2;
-  if (/\bthrow\b/.test(body) || /\breturn\b.*(?:error|err|status|Response|NextResponse|json)/.test(body) || /\bset\w*Error\s*\(/.test(body) || /\bres\.\w+\s*\(/.test(body)) {
+  if ((/console\.(error|warn)\s*\(/.test(body) || /\b(logger|log)\.(error|warn)\s*\(/.test(body)) && /\b(err|error|e)\b/.test(body)) score = 2;
+  if (/\bthrow\b/.test(body) || /\breturn\b.*(?:error|err|status|Response|NextResponse|json)/.test(body) || /\bset\w*Error\s*\(/.test(body) || /\bres\.\w+\s*\(/.test(body) || // Toast notifications (react-toastify, sonner, shadcn)
+  /\btoast\.(error|warn|warning)\s*\(/.test(body) || /\btoast\s*\(\s*\{/.test(body) || // Error monitoring (Sentry, etc.)
+  /\b(Sentry\.)?captureException\s*\(/.test(body) || /\b(Sentry\.)?captureMessage\s*\(/.test(body) || // Structured loggers
+  /\b(logger|log)\.(error|fatal)\s*\(/.test(body) || // Error handler utilities
+  /\b(handleError|reportError|logError|notifyError|showError|onError|trackError)\s*\(/.test(body) || // Express middleware: next(err)
+  /\bnext\s*\(\s*(err|error|e)\s*\)/.test(body) || // Next.js notFound()
+  /\bnotFound\s*\(/.test(body)) {
     score = 3;
   }
   const labels = {
@@ -2288,7 +2409,7 @@ var shallowCatchRule = {
           if (!body || !body.loc) return;
           const bodyStart = body.loc.start.line - 1;
           const bodyEnd = body.loc.end.line - 1;
-          const bodyLines = file.lines.slice(bodyStart + 1, bodyEnd);
+          const bodyLines = bodyStart === bodyEnd ? [file.lines[bodyStart]] : file.lines.slice(bodyStart + 1, bodyEnd);
           const { score, label } = scoreCatchBody(bodyLines);
           if (score <= 1) {
             findings.push({

package/dist/index.js

@@ -71,7 +71,10 @@ function isTestFile(relativePath) {
   return /\.(test|spec)\.[jt]sx?$/.test(relativePath) || /(?:^|\/)__tests__\//.test(relativePath) || /(?:^|\/)tests?\//.test(relativePath) || /(?:^|\/)fixtures?\//.test(relativePath) || /(?:^|\/)mocks?\//.test(relativePath);
 }
 function isScriptFile(relativePath) {
-  return /(?:^|\/)scripts?\//.test(relativePath);
+  if (/(?:^|\/)scripts?\//.test(relativePath)) return true;
+  const name = relativePath.split("/").pop() ?? "";
+  const base = name.replace(/\.[^.]+$/, "");
+  return /^(seed|migrate|setup|bootstrap|generate|codegen|sync|deploy|cleanup|reset)$/.test(base);
 }
 function isConfigFile(relativePath) {
   const name = relativePath.split("/").pop() ?? "";
@@ -240,6 +243,25 @@ function findLoopsAST(ast) {
   });
   return loops;
 }
+function getImportSources(ast) {
+  const sources = [];
+  walkAST(ast.program, (node) => {
+    if (node.type === "ImportDeclaration") {
+      const decl = node;
+      sources.push({ source: decl.source.value, line: decl.loc?.start.line ?? 1 });
+    }
+    if (node.type === "CallExpression") {
+      const call = node;
+      if (call.callee.type === "Identifier" && call.callee.name === "require" && call.arguments.length === 1 && call.arguments[0].type === "StringLiteral") {
+        sources.push({ source: call.arguments[0].value, line: node.loc?.start.line ?? 1 });
+      }
+      if (call.callee.type === "Import" && call.arguments.length >= 1 && call.arguments[0].type === "StringLiteral") {
+        sources.push({ source: call.arguments[0].value, line: node.loc?.start.line ?? 1 });
+      }
+    }
+  });
+  return sources;
+}
 function isUserInputNode(node) {
   if (node.type === "MemberExpression") {
     const mem = node;
@@ -434,6 +456,66 @@ async function readFileContext(root, relativePath) {
     return null;
   }
 }
+async function getWorkspacePatterns(root, packageJson) {
+  const patterns = [];
+  if (packageJson) {
+    const workspaces = packageJson.workspaces;
+    if (Array.isArray(workspaces)) {
+      patterns.push(...workspaces);
+    } else if (workspaces && typeof workspaces === "object" && Array.isArray(workspaces.packages)) {
+      patterns.push(...workspaces.packages);
+    }
+  }
+  try {
+    const raw = await readFile(resolve(root, "pnpm-workspace.yaml"), "utf-8");
+    let inPackages = false;
+    for (const line of raw.split(/\r?\n/)) {
+      const trimmed = line.trim();
+      if (/^packages\s*:/.test(trimmed)) {
+        inPackages = true;
+        continue;
+      }
+      if (inPackages) {
+        if (/^-\s+/.test(trimmed)) {
+          const glob = trimmed.replace(/^-\s+/, "").replace(/^['"]|['"]$/g, "");
+          if (glob) patterns.push(glob);
+        } else if (trimmed && !trimmed.startsWith("#")) {
+          break;
+        }
+      }
+    }
+  } catch {
+  }
+  return patterns;
+}
+async function collectWorkspaceDependencies(root, patterns) {
+  const deps = /* @__PURE__ */ new Set();
+  const globPatterns = patterns.map((p) => `${p}/package.json`);
+  try {
+    const pkgFiles = await fg(globPatterns, {
+      cwd: root,
+      absolute: false,
+      ignore: ["**/node_modules/**"]
+    });
+    for (const pkgFile of pkgFiles) {
+      try {
+        const raw = await readFile(resolve(root, pkgFile), "utf-8");
+        const pkg = JSON.parse(raw);
+        if (pkg.name) deps.add(pkg.name);
+        for (const key of ["dependencies", "devDependencies", "peerDependencies"]) {
+          if (pkg[key] && typeof pkg[key] === "object") {
+            for (const dep of Object.keys(pkg[key])) {
+              deps.add(dep);
+            }
+          }
+        }
+      } catch {
+      }
+    }
+  } catch {
+  }
+  return deps;
+}
 async function buildProjectContext(root, files) {
   let packageJson = null;
   let declaredDependencies = /* @__PURE__ */ new Set();
@@ -452,19 +534,26 @@ async function buildProjectContext(root, files) {
       ...packageJson?.peerDependencies ?? {}
     };
     declaredDependencies = new Set(Object.keys(deps));
-    for (const dep of declaredDependencies) {
-      const framework = DEPENDENCY_TO_FRAMEWORK[dep];
-      if (framework) {
-        detectedFrameworks.add(framework);
-      }
+  } catch {
+  }
+  const workspacePatterns = await getWorkspacePatterns(root, packageJson);
+  if (workspacePatterns.length > 0) {
+    const workspaceDeps = await collectWorkspaceDependencies(root, workspacePatterns);
+    for (const dep of workspaceDeps) {
+      declaredDependencies.add(dep);
     }
-    for (const framework of detectedFrameworks) {
-      if (RATE_LIMIT_FRAMEWORKS.has(framework)) {
-        hasRateLimiting = true;
-        break;
-      }
+  }
+  for (const dep of declaredDependencies) {
+    const framework = DEPENDENCY_TO_FRAMEWORK[dep];
+    if (framework) {
+      detectedFrameworks.add(framework);
+    }
+  }
+  for (const framework of detectedFrameworks) {
+    if (RATE_LIMIT_FRAMEWORKS.has(framework)) {
+      hasRateLimiting = true;
+      break;
     }
-  } catch {
   }
   try {
     const raw = await readFile(resolve(root, "tsconfig.json"), "utf-8");
@@ -719,6 +808,32 @@ var hallucinatedImportsRule = {
     const findings = [];
     const seen = /* @__PURE__ */ new Set();
     const isNonProd = isTestFile(file.relativePath) || isScriptFile(file.relativePath);
+    if (file.ast) {
+      try {
+        const imports = getImportSources(file.ast);
+        for (const { source: importPath, line } of imports) {
+          if (importPath.startsWith(".") || importPath.startsWith("/")) continue;
+          const pkgName = getPackageName(importPath);
+          if (seen.has(pkgName)) continue;
+          seen.add(pkgName);
+          if (isPathAlias(importPath, project.tsconfigPaths)) continue;
+          if (isNodeBuiltin(pkgName)) continue;
+          if (IMPLICIT_PACKAGES.has(importPath) || IMPLICIT_PACKAGES.has(pkgName)) continue;
+          if (project.declaredDependencies.has(pkgName)) continue;
+          findings.push({
+            ruleId: "hallucinated-imports",
+            file: file.relativePath,
+            line,
+            column: 1,
+            message: `Package "${pkgName}" is imported but not in package.json`,
+            severity: isNonProd ? "warning" : "critical",
+            category: "reliability"
+          });
+        }
+        return findings;
+      } catch {
+      }
+    }
     for (let i = 0; i < file.lines.length; i++) {
       if (isCommentLine(file.lines, i, file.commentMap)) continue;
       const line = file.lines[i];
@@ -2250,8 +2365,14 @@ function scoreCatchBody(bodyLines) {
   const body = bodyLines.join("\n");
   let score = 0;
   if (/console\.(log|warn|error|info)\s*\(/.test(body)) score = 1;
-  if (/console\.(error|warn)\s*\(/.test(body) && /\b(err|error|e)\b/.test(body)) score = 2;
-  if (/\bthrow\b/.test(body) || /\breturn\b.*(?:error|err|status|Response|NextResponse|json)/.test(body) || /\bset\w*Error\s*\(/.test(body) || /\bres\.\w+\s*\(/.test(body)) {
+  if ((/console\.(error|warn)\s*\(/.test(body) || /\b(logger|log)\.(error|warn)\s*\(/.test(body)) && /\b(err|error|e)\b/.test(body)) score = 2;
+  if (/\bthrow\b/.test(body) || /\breturn\b.*(?:error|err|status|Response|NextResponse|json)/.test(body) || /\bset\w*Error\s*\(/.test(body) || /\bres\.\w+\s*\(/.test(body) || // Toast notifications (react-toastify, sonner, shadcn)
+  /\btoast\.(error|warn|warning)\s*\(/.test(body) || /\btoast\s*\(\s*\{/.test(body) || // Error monitoring (Sentry, etc.)
+  /\b(Sentry\.)?captureException\s*\(/.test(body) || /\b(Sentry\.)?captureMessage\s*\(/.test(body) || // Structured loggers
+  /\b(logger|log)\.(error|fatal)\s*\(/.test(body) || // Error handler utilities
+  /\b(handleError|reportError|logError|notifyError|showError|onError|trackError)\s*\(/.test(body) || // Express middleware: next(err)
+  /\bnext\s*\(\s*(err|error|e)\s*\)/.test(body) || // Next.js notFound()
+  /\bnotFound\s*\(/.test(body)) {
     score = 3;
   }
   const labels = {
@@ -2283,7 +2404,7 @@ var shallowCatchRule = {
           if (!body || !body.loc) return;
           const bodyStart = body.loc.start.line - 1;
           const bodyEnd = body.loc.end.line - 1;
-          const bodyLines = file.lines.slice(bodyStart + 1, bodyEnd);
+          const bodyLines = bodyStart === bodyEnd ? [file.lines[bodyStart]] : file.lines.slice(bodyStart + 1, bodyEnd);
           const { score, label } = scoreCatchBody(bodyLines);
           if (score <= 1) {
             findings.push({

package/dist/mcp.js

@@ -80,7 +80,10 @@ function isTestFile(relativePath) {
   return /\.(test|spec)\.[jt]sx?$/.test(relativePath) || /(?:^|\/)__tests__\//.test(relativePath) || /(?:^|\/)tests?\//.test(relativePath) || /(?:^|\/)fixtures?\//.test(relativePath) || /(?:^|\/)mocks?\//.test(relativePath);
 }
 function isScriptFile(relativePath) {
-  return /(?:^|\/)scripts?\//.test(relativePath);
+  if (/(?:^|\/)scripts?\//.test(relativePath)) return true;
+  const name = relativePath.split("/").pop() ?? "";
+  const base = name.replace(/\.[^.]+$/, "");
+  return /^(seed|migrate|setup|bootstrap|generate|codegen|sync|deploy|cleanup|reset)$/.test(base);
 }
 function isConfigFile(relativePath) {
   const name = relativePath.split("/").pop() ?? "";
@@ -249,6 +252,25 @@ function findLoopsAST(ast) {
   });
   return loops;
 }
+function getImportSources(ast) {
+  const sources = [];
+  walkAST(ast.program, (node) => {
+    if (node.type === "ImportDeclaration") {
+      const decl = node;
+      sources.push({ source: decl.source.value, line: decl.loc?.start.line ?? 1 });
+    }
+    if (node.type === "CallExpression") {
+      const call = node;
+      if (call.callee.type === "Identifier" && call.callee.name === "require" && call.arguments.length === 1 && call.arguments[0].type === "StringLiteral") {
+        sources.push({ source: call.arguments[0].value, line: node.loc?.start.line ?? 1 });
+      }
+      if (call.callee.type === "Import" && call.arguments.length >= 1 && call.arguments[0].type === "StringLiteral") {
+        sources.push({ source: call.arguments[0].value, line: node.loc?.start.line ?? 1 });
+      }
+    }
+  });
+  return sources;
+}
 function isUserInputNode(node) {
   if (node.type === "MemberExpression") {
     const mem = node;
@@ -443,6 +465,66 @@ async function readFileContext(root, relativePath) {
     return null;
   }
 }
+async function getWorkspacePatterns(root, packageJson) {
+  const patterns = [];
+  if (packageJson) {
+    const workspaces = packageJson.workspaces;
+    if (Array.isArray(workspaces)) {
+      patterns.push(...workspaces);
+    } else if (workspaces && typeof workspaces === "object" && Array.isArray(workspaces.packages)) {
+      patterns.push(...workspaces.packages);
+    }
+  }
+  try {
+    const raw = await readFile(resolve(root, "pnpm-workspace.yaml"), "utf-8");
+    let inPackages = false;
+    for (const line of raw.split(/\r?\n/)) {
+      const trimmed = line.trim();
+      if (/^packages\s*:/.test(trimmed)) {
+        inPackages = true;
+        continue;
+      }
+      if (inPackages) {
+        if (/^-\s+/.test(trimmed)) {
+          const glob = trimmed.replace(/^-\s+/, "").replace(/^['"]|['"]$/g, "");
+          if (glob) patterns.push(glob);
+        } else if (trimmed && !trimmed.startsWith("#")) {
+          break;
+        }
+      }
+    }
+  } catch {
+  }
+  return patterns;
+}
+async function collectWorkspaceDependencies(root, patterns) {
+  const deps = /* @__PURE__ */ new Set();
+  const globPatterns = patterns.map((p) => `${p}/package.json`);
+  try {
+    const pkgFiles = await fg(globPatterns, {
+      cwd: root,
+      absolute: false,
+      ignore: ["**/node_modules/**"]
+    });
+    for (const pkgFile of pkgFiles) {
+      try {
+        const raw = await readFile(resolve(root, pkgFile), "utf-8");
+        const pkg = JSON.parse(raw);
+        if (pkg.name) deps.add(pkg.name);
+        for (const key of ["dependencies", "devDependencies", "peerDependencies"]) {
+          if (pkg[key] && typeof pkg[key] === "object") {
+            for (const dep of Object.keys(pkg[key])) {
+              deps.add(dep);
+            }
+          }
+        }
+      } catch {
+      }
+    }
+  } catch {
+  }
+  return deps;
+}
 async function buildProjectContext(root, files) {
   let packageJson = null;
   let declaredDependencies = /* @__PURE__ */ new Set();
@@ -461,19 +543,26 @@ async function buildProjectContext(root, files) {
       ...packageJson?.peerDependencies ?? {}
     };
     declaredDependencies = new Set(Object.keys(deps));
-    for (const dep of declaredDependencies) {
-      const framework = DEPENDENCY_TO_FRAMEWORK[dep];
-      if (framework) {
-        detectedFrameworks.add(framework);
-      }
+  } catch {
+  }
+  const workspacePatterns = await getWorkspacePatterns(root, packageJson);
+  if (workspacePatterns.length > 0) {
+    const workspaceDeps = await collectWorkspaceDependencies(root, workspacePatterns);
+    for (const dep of workspaceDeps) {
+      declaredDependencies.add(dep);
     }
-    for (const framework of detectedFrameworks) {
-      if (RATE_LIMIT_FRAMEWORKS.has(framework)) {
-        hasRateLimiting = true;
-        break;
-      }
+  }
+  for (const dep of declaredDependencies) {
+    const framework = DEPENDENCY_TO_FRAMEWORK[dep];
+    if (framework) {
+      detectedFrameworks.add(framework);
+    }
+  }
+  for (const framework of detectedFrameworks) {
+    if (RATE_LIMIT_FRAMEWORKS.has(framework)) {
+      hasRateLimiting = true;
+      break;
     }
-  } catch {
   }
   try {
     const raw = await readFile(resolve(root, "tsconfig.json"), "utf-8");
@@ -728,6 +817,32 @@ var hallucinatedImportsRule = {
     const findings = [];
     const seen = /* @__PURE__ */ new Set();
     const isNonProd = isTestFile(file.relativePath) || isScriptFile(file.relativePath);
+    if (file.ast) {
+      try {
+        const imports = getImportSources(file.ast);
+        for (const { source: importPath, line } of imports) {
+          if (importPath.startsWith(".") || importPath.startsWith("/")) continue;
+          const pkgName = getPackageName(importPath);
+          if (seen.has(pkgName)) continue;
+          seen.add(pkgName);
+          if (isPathAlias(importPath, project.tsconfigPaths)) continue;
+          if (isNodeBuiltin(pkgName)) continue;
+          if (IMPLICIT_PACKAGES.has(importPath) || IMPLICIT_PACKAGES.has(pkgName)) continue;
+          if (project.declaredDependencies.has(pkgName)) continue;
+          findings.push({
+            ruleId: "hallucinated-imports",
+            file: file.relativePath,
+            line,
+            column: 1,
+            message: `Package "${pkgName}" is imported but not in package.json`,
+            severity: isNonProd ? "warning" : "critical",
+            category: "reliability"
+          });
+        }
+        return findings;
+      } catch {
+      }
+    }
     for (let i = 0; i < file.lines.length; i++) {
       if (isCommentLine(file.lines, i, file.commentMap)) continue;
       const line = file.lines[i];
@@ -2259,8 +2374,14 @@ function scoreCatchBody(bodyLines) {
   const body = bodyLines.join("\n");
   let score = 0;
   if (/console\.(log|warn|error|info)\s*\(/.test(body)) score = 1;
-  if (/console\.(error|warn)\s*\(/.test(body) && /\b(err|error|e)\b/.test(body)) score = 2;
-  if (/\bthrow\b/.test(body) || /\breturn\b.*(?:error|err|status|Response|NextResponse|json)/.test(body) || /\bset\w*Error\s*\(/.test(body) || /\bres\.\w+\s*\(/.test(body)) {
+  if ((/console\.(error|warn)\s*\(/.test(body) || /\b(logger|log)\.(error|warn)\s*\(/.test(body)) && /\b(err|error|e)\b/.test(body)) score = 2;
+  if (/\bthrow\b/.test(body) || /\breturn\b.*(?:error|err|status|Response|NextResponse|json)/.test(body) || /\bset\w*Error\s*\(/.test(body) || /\bres\.\w+\s*\(/.test(body) || // Toast notifications (react-toastify, sonner, shadcn)
+  /\btoast\.(error|warn|warning)\s*\(/.test(body) || /\btoast\s*\(\s*\{/.test(body) || // Error monitoring (Sentry, etc.)
+  /\b(Sentry\.)?captureException\s*\(/.test(body) || /\b(Sentry\.)?captureMessage\s*\(/.test(body) || // Structured loggers
+  /\b(logger|log)\.(error|fatal)\s*\(/.test(body) || // Error handler utilities
+  /\b(handleError|reportError|logError|notifyError|showError|onError|trackError)\s*\(/.test(body) || // Express middleware: next(err)
+  /\bnext\s*\(\s*(err|error|e)\s*\)/.test(body) || // Next.js notFound()
+  /\bnotFound\s*\(/.test(body)) {
     score = 3;
   }
   const labels = {
@@ -2292,7 +2413,7 @@ var shallowCatchRule = {
           if (!body || !body.loc) return;
           const bodyStart = body.loc.start.line - 1;
           const bodyEnd = body.loc.end.line - 1;
-          const bodyLines = file.lines.slice(bodyStart + 1, bodyEnd);
+          const bodyLines = bodyStart === bodyEnd ? [file.lines[bodyStart]] : file.lines.slice(bodyStart + 1, bodyEnd);
           const { score, label } = scoreCatchBody(bodyLines);
           if (score <= 1) {
             findings.push({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "prodlint",
-  "version": "0.7.0",
+  "version": "0.7.2",
   "description": "The linter for vibe-coded apps — catch what AI coding tools miss",
   "license": "MIT",
   "author": "prodlint contributors",
@@ -13,6 +13,7 @@
     "url": "https://github.com/prodlint/prodlint/issues"
   },
   "homepage": "https://prodlint.com",
+  "mcpName": "io.github.Anthony-Marcovecchio/prodlint",
   "bin": {
     "prodlint": "./dist/cli.js",
     "prodlint-mcp": "./dist/mcp.js"
@@ -78,6 +79,12 @@
     "mcp-server",
     "cursor",
     "copilot",
+    "v0",
+    "bolt",
+    "windsurf",
+    "claude",
+    "github-action",
+    "eslint-alternative",
     "devtools"
   ]
 }